About WELA
WELA (Windows Event Log Analyzer, ゑ羅) is a tool for auditing Windows Event Log settings and log file sizes. Windows Event Logs are essential for Digital Forensics and Incident Response (DFIR), offering insights into system activity and security events. However, the default Windows Event Log settings often cause problems, such as small maximum log sizes, weak audit policies, and the resulting blind spots in detection, that hinder effective investigations. WELA helps identify these issues and provides actionable recommendations to improve log settings and strengthen security visibility.
Companion Projects
- EnableWindowsLogSettings: Yamato Security's Windows Event Log Configuration Guide For DFIR And Threat Hunting.
- EventLog-Baseline-Guide: A tool to visualize detection gaps in Sigma rules and major Windows Event Log configuration guides.
- WELA-RulesGenerator: A tool for generating WELA's Sigma rule-related config files.
Table of Contents
- About WELA
- Companion Projects
- Table of Contents
- Screenshots
- Features
- Downloads
- Command List
- Command Usage
- Contribution
- Bug Submission
- License
- Contributors
- Acknowledgements
Screenshots
Startup
audit-settings (stdout)
audit-settings (gui)
audit-settings (table)
audit-filesize
Features
- Audit Windows Event Log Audit policy settings.
- Checking based on the major Windows Event Log Audit configuration guides.
- Checking Windows Event Log audit settings based on real-world Sigma rule detectability.
- Audit Windows Event Log file sizes and suggest the recommended size.
Prerequisites
- PowerShell 5.1+
- Run PowerShell with Administrator privileges
Downloads
Please download the latest stable version of WELA from the Releases page.
Running WELA
- Unzip the release zip file.
- Open PowerShell with Administrator privileges.
- Run ./WELA.ps1 help to start WELA and display its usage.
Command List
- audit-settings: Check Windows Event Log audit policy settings.
- audit-filesize: Check Windows Event Log file sizes.
- update-rules: Update WELA's Sigma rules config files.
Command Usage
audit-settings
The audit-settings command checks the Windows Event Log audit policy settings and compares them with the recommended settings from Yamato Security, Microsoft (Server/Client), and the Australian Signals Directorate (ASD).
The RuleCount column indicates the number of Sigma rules that can detect events within that audit category, so a category with a high RuleCount but weak or no auditing is a detection blind spot.
audit-settings command examples
Check against the Yamato Security (default) recommended settings and save to CSV:
./WELA.ps1 audit-settings
Check against the Australian Signals Directorate recommended settings and save to CSV:
./WELA.ps1 audit-settings -BaseLine ASD
Check against the Microsoft recommended settings (Server) and display results in the GUI:
./WELA.ps1 audit-settings -BaseLine Microsoft_Server -OutType gui
Check against the Microsoft recommended settings (Client) and display results in table format:
./WELA.ps1 audit-settings -BaseLine Microsoft_Client -OutType table
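The kind of comparison audit-settings performs can be reproduced by hand with auditpol. The script below is an added example, not WELA's own code: the $Baseline table is constructed for illustration and is not the Yamato Security, Microsoft or ASD baseline, and the subcategory names assume an English-language Windows install.

```powershell
# Added example (not part of WELA): compare the effective Advanced Audit Policy
# with a baseline, the same kind of check that "audit-settings" performs.
# The $Baseline values are illustrative only and are NOT the Yamato Security,
# Microsoft or ASD recommendations. Run from an elevated PowerShell.

# Subcategory -> required setting (constructed for this example).
$Baseline = @{
    'Credential Validation'     = 'Success and Failure'
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success'
    'Special Logon'             = 'Success'
    'Process Creation'          = 'Success'
    'Security Group Management' = 'Success'
    'Audit Policy Change'       = 'Success and Failure'
}

# A host setting satisfies the baseline when it covers everything the baseline
# asks for: 'Success and Failure' on the host satisfies a 'Success' baseline,
# but 'Success' alone does not satisfy 'Success and Failure'.
function Test-AuditSetting {
    param([string]$Expected, [string]$Actual)
    switch ($Expected) {
        'Success and Failure' { return ($Actual -eq 'Success and Failure') }
        'Success'             { return ($Actual -in @('Success', 'Success and Failure')) }
        'Failure'             { return ($Actual -in @('Failure', 'Success and Failure')) }
        default               { return $true }
    }
}

# "auditpol /get /category:* /r" prints the effective policy as CSV with a
# "Subcategory" and an "Inclusion Setting" column. Blank lines are dropped
# before parsing.
$Current = auditpol /get /category:* /r |
    Where-Object { $_ -match ',' } |
    ConvertFrom-Csv

$Report = foreach ($name in ($Baseline.Keys | Sort-Object)) {
    $row = $Current | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
    if ($null -eq $row) {
        # Subcategory names are localized; a miss on a non-English system
        # usually means the name differs, not that auditing is missing.
        $actual = 'Not found'
        $ok     = $false
    } else {
        $actual = $row.'Inclusion Setting'
        $ok     = Test-AuditSetting -Expected $Baseline[$name] -Actual $actual
    }
    $status = if ($ok) { 'OK' } else { 'Insufficient' }
    [pscustomobject]@{
        Subcategory = $name
        Expected    = $Baseline[$name]
        Actual      = $actual
        Status      = $status
    }
}

$Report | Format-Table -AutoSize
# To keep a record, as WELA does by default:
# $Report | Export-Csv -NoTypeInformation -Path .\audit-settings.csv
```

auditpol reports the effective policy, which is what matters for detection; if a GPO or a local legacy "Audit policy" setting overrides the advanced policy, the effective value is what shows up here. The script only flags settings that are weaker than the baseline, so a host that audits more than the baseline asks for still reports OK.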
audit-filesize
audit-filesize command checks the Windows Event Log file size and compares it with the recommended settings from Yamato Security.
audit-filesize command examples
Check Windows Event Log file sizes against the Yamato Security recommended settings and save to CSV:
./WELA.ps1 audit-filesize
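The following is an added example, not WELA's own code, showing how the configured maximum size of a few important channels can be checked from PowerShell. The thresholds in $RecommendedBytes are constructed for illustration and are not Yamato Security's actual recommendations; the channel names are standard Windows channel names, and the Sysmon channel is assumed to exist only where Sysmon is installed.

```powershell
# Added example (not part of WELA): check the configured maximum size of key
# event log channels, the kind of check that "audit-filesize" performs.
# The thresholds are illustrative only and are NOT Yamato Security's actual
# recommendations. Run from an elevated PowerShell.

$RecommendedBytes = @{
    'Security'                                 = 1GB
    'System'                                   = 256MB
    'Application'                              = 256MB
    'Microsoft-Windows-PowerShell/Operational' = 512MB
    'Microsoft-Windows-Sysmon/Operational'     = 1GB   # present only if Sysmon is installed
}

$Report = foreach ($channel in ($RecommendedBytes.Keys | Sort-Object)) {
    # Get-WinEvent -ListLog returns the channel configuration, including
    # MaximumSizeInBytes, LogMode and IsEnabled. A missing channel (for
    # example Sysmon not installed) is reported rather than thrown.
    $log  = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
    $want = $RecommendedBytes[$channel]

    $enabled   = $null
    $logMode   = $null
    $currentMB = $null

    if ($null -eq $log) {
        $status = 'Channel not present'
    } else {
        $enabled   = $log.IsEnabled
        $logMode   = $log.LogMode
        $currentMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
        if (-not $enabled) {
            $status = 'Disabled'
        } elseif ($log.MaximumSizeInBytes -lt $want) {
            $status = 'Too small'
        } else {
            $status = 'OK'
        }
    }

    [pscustomobject]@{
        Channel       = $channel
        Enabled       = $enabled
        LogMode       = $logMode
        CurrentMaxMB  = $currentMB
        RecommendedMB = [math]::Round($want / 1MB)
        Status        = $status
    }
}

$Report | Format-Table -AutoSize

# Remediation for an undersized channel; wevtutil takes the size in bytes:
#   wevtutil sl Security /ms:1073741824
# Remediation for a disabled channel:
#   wevtutil sl Microsoft-Windows-PowerShell/Operational /e:true
```

The check is on the configured maximum (MaximumSizeInBytes), not the current on-disk FileSize: a channel that has not filled up yet still has the same rollover risk. LogMode is included because a Circular channel of 20 MB on a busy server overwrites the evidence an investigation needs within hours, which is exactly the blind spot audit-filesize is meant to surface.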
update-rules
The update-rules command updates WELA's Sigma rules config files.
update-rules command examples
Update WELA's Sigma rules config files:
./WELA.ps1 update-rules
Other Windows Event Log Audit Related Resources
- A Data-Driven Approach to Windows Advanced Audit Policy – What to Enable and Why
- Audit Policy Recommendations
- Configure audit policies for Windows event logs
- EnableWindowsLogSettings
- Windows event logging and forwarding
- mdecrevoisier/Windows-auditing-baseline
- palantir/windows-event-forwarding
Contribution
We would love any form of contribution. Pull requests, rule creation, and sample logs are the best, but feature requests, bug reports, etc. are also very welcome.
At the least, if you like our tools and resources, then please give us a star on GitHub and show your support!
Bug Submission
- Please submit any bugs you find here.
- This project is currently actively maintained, and we are happy to fix any bugs reported.
License
- WELA is released under the MIT License.
Contributors
- Fukusuke Takahashi (core developer)
- Zach Mathis (project leader, tool design, testing, etc...) (@yamatosecurity)
Acknowledgements
- Australian Cyber Security Centre: Windows event logging and forwarding
- Microsoft: Advanced security auditing FAQ
- SigmaHQ
You can receive the latest news about WELA, rule updates, other Yamato Security tools, etc... by following us on Twitter at @SecurityYamato.